Migrate configuration from Shorewall to pfSense



Hello,

I want to migrate a client configuration from Shorewall to pfSense.

The current FW has two IPsec VPNs to two different providers; this has no problems.

The context is this: we have some devices in the network of a mobile provider, and these send information to an application server in our LAN. We have two VPNs to connect to the provider's network and route the traffic to our LAN.

These two providers are totally different.

The devices send information to one of the virtual IPs on the current FW, and when the packets arrive at the FW we change the original destination IP to a new one, which is the IP of a server in the LAN.

This DNAT change is done in PREROUTING.

The scheme is this (this graph does not show the real IPs, I changed them):

IPsec VPN                                                                                          LAN
VPN <------------------------------> 190.43.23.3 : FW Linux IP : 192.168.10.15 <------------------------> Server 192.168.10.20
                                                   Virtual IP Client : 192.168.90.2

Original packet source: from 192.168.5.20:1234 to 192.168.90.2
Destination changed by the FW: from 192.168.90.2:1234 to 192.168.10.20:1234

This setting cannot be changed because there are multiple external devices that use it, so it would be very expensive to change.

The two rules in the current firewall are:

Chain PREROUTING (policy ACCEPT 1352K packets, 220M bytes)
pkts bytes target    prot opt in    out  source              destination
856K  126M net_dnat  all  --  eth1 *      0.0.0.0/0            0.0.0.0/0

Chain net_dnat (1 references)
pkts    bytes  target  prot opt in    out    source                  destination
41263 4004K  DNAT  udp  --  *      *      192.168.5.0/19      0.0.0.0/0          udp dpt:1314 to:192.168.10.20
34234 3314K  DNAT  udp  --  *      *      192.168.5.0/19      0.0.0.0/0          udp dpt:3066 to:192.168.10.20

It must be assumed that all routes work well; the problem is more about the DNAT.

Can someone tell me how you would do the following:

1. Configure a virtual interface.
2. Is it possible to set up this DNAT in prerouting in pfSense?

If anything is not clear, please ask me.

Sorry for my English.

I would appreciate your help.

Thank you.

